Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded

Eero Häkkinen Wed, 19 Mar 2014 11:01:24 -0700

Package: libpam-oath
Version: 2.0.2-2
Severity: grave
Tags: security upstream patch


The OATH Toolkit PAM module does not check whether strdup allocations 
succeeded. This may result in null pointer dereference and application 
crash.

Depending on the use of the PAM module, this may be remotely exploitable.

diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
index 8379358..e2d3363 100644
--- a/pam_oath/pam_oath.c
+++ b/pam_oath/pam_oath.c
@@ -146,6 +146,12 @@ pam_sm_authenticate (pam_handle_t * pamh,
   char *query_prompt = NULL;
   char *onlypasswd = strdup ("");	/* empty passwords never match */
 
+  if (!onlypasswd)
+    {
+      retval = PAM_BUF_ERR;
+      goto done;
+    }
+
   parse_cfg (flags, argc, argv, &cfg);
 
   retval = pam_get_user (pamh, &user, NULL);
@@ -265,6 +271,11 @@ pam_sm_authenticate (pam_handle_t * pamh,
     {
       free (onlypasswd);
       onlypasswd = strdup (password);
+      if (!onlypasswd)
+        {
+          retval = PAM_BUF_ERR;
+          goto done;
+        }
 
       /* user entered their system password followed by generated OTP? */

Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded

Reply via email to